AppSec Blog

Threat Modeling: A Hybrid Approach

Editor's Note: Today's post is from Sriram Krishnan. Sriram is a Security Architect at Pegasystems. In this post, Sriram introduces a hybrid threat modeling white paper addressing the limitations in traditional threat modeling methodologies.

In the face of increasing attacks at the application layer and enterprise applications moving towards the cloud, organizations must look at security not as just a function, but a key business driver. It goes without saying that it is the inherent responsibility of organizations to provide a secure operating environment for their customers and employees to protect their interest. Understanding the threat landscape is an important prerequisite for building secure applications. Unless people developing the software applications are aware of the threats that their applications exposed to in production, it is not possible to build secure applications. A SANS survey (2015 State of Application Security: Closing the Gap) indicates that threat assessment (which can also be referred to as threat modeling) is the second leading application security practice (next to penetration testing) for building secure web applications. This helps prove that threat modeling is a fundamental building block for building secure software.

Threat Modeling should be viewed as a pro-active security practice to identify security weakness in software applications early Software Development Lifecycle phase. This enables software developers to build software applications by understanding associated threats. There are various techniques published for performing threat modeling such as STRIDE, Attack Tree, and Attack Library. Organizations tend to be prejudiced towards a particular technique while performing threat modeling exercise. However these techniques have their own advantage and limitations in real-world implementation.

The STRIDE technique may be good in enumerating the threats, however STRIDE does not aid in developing countermeasures and mitigation plans. Attack Tree provides an overview about the attack surface at some level of abstraction, which results in not capturing data essential for understanding the threat scenario. Finally, Attack Library may provide information about the attack vectors and be suitable as checklist model, but does not contribute to a complete threat model. When implemented as separate techniques, some of the key aspects required for threat modeling may be missed, thus impacting the productivity and comprehensiveness of the exercise.
To reap the complete benefit of threat modeling, I propose utilizing a combination of modeling techniques to perform the various activities or tasks involved in the threat modeling process. This hybrid model eliminates limitations by adopting a structured approach, capturing optimum details, and representing the data in an intelligible way.

The following white paper analyses the various limitations of the STRIDE, Attack Tree, and Attack Library methodologies and presents a hybrid model that would implement the best techniques from each option.

A Hybrid Approach to Threat Modeling

I have also created a github project that contains a Threat Modeling Template for project teams to use as they get started:

Threat Modeling

About the Author
Sriram Krishnan (@sriramk21) is a cyber security professional with 12 years of experience, currently working as a Security Architect at Pegasystems Worldwide. He has worked with a leading internet service provider, big 4 consulting firm and global banks performing penetration testing, security architecture review, and advising on security best practices for global telecom industry, banking and financial services sector, and government entities.


Posted March 15, 2017 at 6:39 AM | Permalink | Reply

Satish Tirupathi

Great Paper Sriram. Proposed Threat Modeling Hybrid approach and template can be very helpful in Agile Secure SDLC projects.
Satish Tirupathi
Information Security Architect

Posted August 6, 2017 at 6:48 AM | Permalink | Reply

Melvyn Mildiner

Thank you for this work, Sriram. I think the case for your hybrid model is well-argued. It might be worth getting an editor to review the paper though ''" there are some typos.

Posted November 20, 2018 at 12:44 PM | Permalink | Reply

Gary Stevens

Another great paper for this is SafeCode's Tactical Threat Modeling. They do a great job of looking discussing threat management in multiple contexts.

Post a Comment


* Indicates a required field.